7

Using IPSEC with VPN Gateways

• Configuring load balancing between VPN gateways
• The VPN sandwich configuration with IPSEC
• Additional configuration options

Configuring load balancing between VPN gateways

The previous chapter shows how to load balance across three VPN gateways, using a VPN sandwich configuration. The IPSEC protocol (Internet Protocol Security) enables you to load balance between gateways as well. Figure 7.1 shows inbound IPSEC traffic being load balanced to one of three destination VPN gateways.

Figure 7.1 VPN load balancing between VPN gateways

In this configuration, address translation is on and IPSEC is in tunnel mode with ESP (Encapsulation Security Payload) specified. The hop shown by the blue arrow represents the IPSEC part of the transmission. A packet originating from Client1 with Client6 as its destination is encapsulated by the VPN gateway (VPN5) serving the client and traverses the Internet in this secure form. The BIG-IP Controller then demultiplexes the packet and load balances it to one of three destination gateways: VPN1, VPN2, or VPN3. The VPN to which it is load balanced then becomes the established gateway, or tunnel, for packets from VPN5. Traffic from Client1, a separate VPN connection, would be load balanced to a different destination VPN.

For this configuration to work, IPSEC requires certain special settings on the clients and servers, and on the BIG-IP Controller:

• On clients and servers, IPSEC must be configured in tunnel mode with ESP.
• You must enable Any IP mode for the virtual servers on the controller.
• Enable address translation on the controller.
• Enable UDP on the controller to support internet key exchange (IKE) traffic.
• Enable persistence across services on the controller.

Configuring IPSEC load balancing

First, configure your servers and clients for IPSEC tunnel mode with ESP. Refer to the documentation provided with the server or client. Be sure to use the same security association for all clients.

Next, complete the following tasks on the BIG-IP Controller:

• Create two load balancing pools
  Create two load balancing pools for the VPN destination gateways, one specifying port 500 for internet key exchange, one specifying a wildcard service (0) for Any IP mode.
• Create two virtual servers
  Create two virtual servers for referencing the two pools, one specifying port 500 for internet key exchange, one specifying a wildcard service (0) for Any IP (IPSEC) traffic.
• Enable UDP
  Enable UDP for internet key exchange (IKE) traffic.
• Enable persistence
  Enable persistence across services.

Defining the pools

First, define one pool that load balances the VPN destination gateways with a wildcard port, and one pool for load balancing the VPN destination gateways handling service 500 traffic.

To create pools using the Configuration utility

Use this procedure for each BIG-IP Controller that you need to configure.

1. In the navigation pane, click Pools.
   The Pools screen opens.
2. Click the Add button.
   The Add Pool screen opens.
3. In the Add Pool screen, configure the attributes you want to use for the pool. For additional information about this screen, click the Help button.
   
   

   Configuration notes

   · Create a VPN pool named vpn_anyip. This pool contains the outside addresses of the three VPN destination gateways with service zero.

   · Create a VPN pool named vpn_ike. This pool contains the outside addresses of the three VPN destination gateways with service 500.

To define pools from the command line

Use the following syntax to define the pools at the command line:

b pool <pool_name> { member <member1> member < member2> ...> }

To create the configuration described in this solution, type the following commands:

b pool vpn_anyip { member 10.1.10.1:0 member 10.1.10.2:0 member 10.1.10.3:0 }

b pool vpn_ike { member 10.1.10.1:500 member 10.1.10.2:500 member 10.1.10.3:500 }

Defining the virtual servers

After you define the pools for the VPNs, you can define the following virtual servers on the BIG-IP Controller.

• A virtual server to load balance internet key exchange traffic
• A virtual server to load balance Any IP (IPSEC) traffic

To define the virtual server using the Configuration utility

Use this procedure for each BIG-IP Controller that you need to configure.

1. In the navigation pane, click Virtual Servers.
2. Click the Add button.
   The Add Virtual Server screen opens.
3. Fill in the attributes for the virtual server. For additional information about this screen, click the Help button.
4. For each of the two VPN load-balancing virtual servers:
5. Click the Virtual Address Properties tab.
   The Virtual Address Properties screen opens.
6. In the Any IP Traffic field, check the Enable box. Then click Apply.
   
   

   Configuration notes

   · Create the virtual server 192.168.13.100:0 and use the pool vpn_anyip.

   · Create the virtual server 192.168.13.100:500 and use the pool vpn_ike.

To define the virtual servers from the command line

Define the virtual servers from the command line as follows:

b virtual 192.168.13.100:0 use pool vpn_anyip

b virtual 192.168.13.100:500 use pool vpn_ike

Then, enable Any IP for both virtual servers:

b virtual 192.168.13.100 any_ip enable.

Enabling UDP

After you enable Any IP for the virtual servers, enable UDP 500 so the controller can handle internet key exchange (IKE) traffic:

b service 500 udp enable

Enabling persistence across services

Finally, complete the configuration by setting up persistence across services on the BIG-IP Controller:

b global persist_across_services enable

The VPN sandwich configuration with IPSEC

You can load balance content servers to incoming IPSEC traffic by adding a second BIG-IP Controller in a VPN sandwich configuration. Figure 7.2 shows the VPN sandwich configuration.

Figure 7.2 VPN load balancing between VPN gateways

When you set up the sandwich configuration, the configuration tasks you use are identical to those you use for the basic VPN IPSEC configuration. The exceptions are that you configure a load balancing pool and virtual server on the second BIG-IP Controller.

Defining the additional pool

To create the pool using the Configuration utility

For the BIG-IP Controller BIG-IP 2:

1. In the navigation pane, click Pools.
   The Pools screen opens.
2. Click the Add button.
   The Add Pool screen opens.
3. In the Add Pool screen, configure the attributes you want to use for the pool. For additional information about this screen, click the Help button.
   
   

   Configuration note

   · Create a VPN pool named server_pool. This pool contains as members the addresses of the four content servers, server1, server2, server3, and server4.

To define the pool from the command line

Use the following syntax to define the pools from the command line:

b pool <pool_name> { member <member1> member < member2> ...> }

To create the configuration described in this solution, type the following command.

b pool server_pool { member 10.1.2.1:80 member 10.1.20.2:80 member 10.1.20.3:80 member 10.1.20.4:80 }

Defining the additional virtual server

To define the additional virtual server using the Configuration utility

For each BIG-IP Controller to be configured:

1. In the navigation pane, click Virtual Servers.
   The Virtual Servers screen opens.
2. Click the Add button.
   The Add Virtual Server screen opens.
3. Fill in the attributes for the virtual server. For additional information about this screen, click the Help button.
   
   

   Configuration note

   · Create the virtual server 10.1.20.10:80 and use the pool server_pool.

To define the virtual server from the command line

To define the virtual server from the command line, type the following command.

b virtual 10.1.20.10:80 use pool server_pool

Additional configuration options

Whenever you configure a BIG-IP Controller, you have a number of options:

• You have the option in all configurations to configure a redundant BIG-IP Controller for fail-over. Refer to Redundant Systems in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.
• All configurations have health monitoring options. Refer to Health Monitors in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.
• When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Pools in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.